The allocation for abort_msg_s does not account for the integer in the struct to store the message length, because of which at some lengths of messages (at multiples of page size) this may result in a buffer overflow. Fix coming up. Thanks to Qualys for reporting this.
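To make the reported size arithmetic concrete, here is an added C model (not glibc's own code) of the two allocation computations: rounding the allocation up to a page hides the missing header bytes for short messages, and the overflow appears only when the message text itself fills the final bytes before a page boundary. The struct layout, the rounding helper and the page size are assumptions made for the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of abort_msg_s (assumption: a length field followed by
   a flexible array holding the message text; not glibc's own definition). */
struct abort_msg_s {
    unsigned int size;  /* length of the message that follows */
    char msg[];         /* NUL-terminated message text */
};

/* Round n up to a multiple of the page size (assumed a power of two). */
static size_t round_to_page(size_t n, size_t page) {
    return (n + page - 1) & ~(page - 1);
}

/* Underallocation as the report describes it: only the message text (plus
   its NUL) is rounded up to a page; the header's length field is forgotten. */
size_t alloc_size_underallocated(size_t msg_len, size_t page) {
    return round_to_page(msg_len + 1, page);
}

/* Fixed computation: header plus message text plus NUL. */
size_t alloc_size_fixed(size_t msg_len, size_t page) {
    return round_to_page(sizeof(struct abort_msg_s) + msg_len + 1, page);
}

/* Bytes actually written when a message of msg_len is stored in the struct. */
size_t bytes_needed(size_t msg_len) {
    return offsetof(struct abort_msg_s, msg) + msg_len + 1;
}

/* 1 when storing the message would write past an allocation of alloc bytes. */
int overflows(size_t alloc, size_t msg_len) {
    return bytes_needed(msg_len) > alloc;
}

int main(void) {
    const size_t page = 4096;
    /* Short messages are saved by the page rounding; lengths that bring the
       text up to a page boundary leave no room for the header. */
    size_t lens[] = { 100, 4092, 4095, 8191 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t a = alloc_size_underallocated(lens[i], page);
        printf("len=%zu alloc=%zu needed=%zu %s\n", lens[i], a, bytes_needed(lens[i]),
               overflows(a, lens[i]) ? "OVERFLOW" : "ok");
    }
    return 0;
}
```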
The master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578

commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Jan 21 16:11:06 2025 -0500

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Fixed on trunk.
The release/2.40/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c

commit 7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Jan 21 16:11:06 2025 -0500

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
The release/2.39/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=808a84a8b81468b517a4d721fdc62069cb8c211f

commit 808a84a8b81468b517a4d721fdc62069cb8c211f
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Jan 21 16:11:06 2025 -0500

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
The release/2.38/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c32fd59314c343db88c3ea4a203870481d33c3d2

commit c32fd59314c343db88c3ea4a203870481d33c3d2
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Jan 21 16:11:06 2025 -0500

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
The release/2.37/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a3d7865b098a3a67c44f7812208d9ce4718873ba

commit a3d7865b098a3a67c44f7812208d9ce4718873ba
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Jan 21 16:11:06 2025 -0500

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
The release/2.36/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7971add7ee4171fdd8dfd17e7c04c4ed77a18845

commit 7971add7ee4171fdd8dfd17e7c04c4ed77a18845
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jan 22 17:22:02 2025 +0100

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)

    Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
    backtrace removal.
The release/2.35/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8b5d4be762419c4f6176261c6fea40ac559b88dc

commit 8b5d4be762419c4f6176261c6fea40ac559b88dc
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jan 22 17:22:02 2025 +0100

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)

    Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
    backtrace removal.
The release/2.34/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=df4e1f4a5096b385c9bcc94424cf2eaa227b3761

commit df4e1f4a5096b385c9bcc94424cf2eaa227b3761
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jan 22 17:22:02 2025 +0100

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)

    Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
    backtrace removal.
The master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cdb9ba84191ce72e86346fb8b1d906e7cd930ea2

commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395

    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.

    This is related to BZ #32582

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
The release/2.41/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=69fda28279b497bd405fdd442a6d8e4d3d5f681b

commit 69fda28279b497bd405fdd442a6d8e4d3d5f681b
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395

    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.

    This is related to BZ #32582

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)
The release/2.40/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d6c156c326999f144cb5b73d29982108d549ad8a

commit d6c156c326999f144cb5b73d29982108d549ad8a
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395

    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.

    This is related to BZ #32582

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)
The release/2.39/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f6d48470aef9264d2d56f4c4533eb76db7f9c2e4

commit f6d48470aef9264d2d56f4c4533eb76db7f9c2e4
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395

    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.

    This is related to BZ #32582

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)
The release/2.38/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f984e2d7e8299726891a1a497a3c36cd5542a0bf

commit f984e2d7e8299726891a1a497a3c36cd5542a0bf
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395

    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.

    This is related to BZ #32582

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)
The release/2.37/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b989519fe1683c204ac24ec92830e3fe3bfaccad

commit b989519fe1683c204ac24ec92830e3fe3bfaccad
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395

    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.

    This is related to BZ #32582

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)
The release/2.36/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0487893d5c5bc6710d83d7c3152d888a0339559e

commit 0487893d5c5bc6710d83d7c3152d888a0339559e
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395

    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.

    This is related to BZ #32582

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)
The release/2.35/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8b3d09dc0d350191985f9d291cc30ce96f034b49

commit 8b3d09dc0d350191985f9d291cc30ce96f034b49
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395

    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.

    This is related to BZ #32582

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)
The release/2.34/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=31eb872cb21449832ab47ad5db83281d240e1d03

commit 31eb872cb21449832ab47ad5db83281d240e1d03
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395

    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.

    This is related to BZ #32582

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)